Keeping Information Security Simple – Multi-Factor Authentication

Washington University Community:

Thank you for the positive feedback on June’s first issue of our new Information Security Bulletin, “Secured!” If you missed it, you can read it and other articles of interest at

For almost a decade, I’ve been trying to “Keep Information Security Simple” (KISS) for my clients, employers, and friends. KISS is a great acronym, and it makes many people think of the age-old adage “Keep It Simple, Stupid,” which I’ve always hoped would make the potentially intimidating topic of information security more approachable.

Try as I might to Keep Information Security Simple, it’s a complicated endeavor. But, I think I have at least made it understandable, and more importantly, doable.

In the first issue, I argued that the university truly needs your help to prevent cybercrime. If we don’t all exercise care, no technical defenses are sufficient to protect us. As your CISO, if I could ask everyone to do just one thing to protect themselves in their personal and professional life, it would be this:

The One Thing 

It’s 2-Factor Authentication (2FA). (Note that some vendors call it Multi-Factor Authentication (MFA) or 2-Step Verification (2SV)).

Authentication is a fancy word for logging in, and we are all familiar with the idea of using a username and password to log in to an account. In this case, the password is one factor. Over the past few years, WUSTL Key logins, and especially remote-access logins, have made us familiar with entering a code from or tapping “approve” in the DUO app on our cellphones. These codes are considered second factors and dramatically reduce the likelihood—by a huge percentage—that your account will be hacked.

At WashU, we use WUSTL Key to log in, and DUO provides 2FA if you are off campus. Being on campus offers a type of 2nd Factor, so we usually don’t require 2FA on-campus. For the most part, you don’t have any control over whether WUSTL Key logins require a 2nd Factor.

However, in other areas of your life, whether social media, personal email, banking, shopping, investing, and healthcare, you should add a 2nd factor to your login whenever possible. Sometimes this involves an app like DUO, but even a text message or emailed 2nd-factor step in the login process will reduce the odds that your account is hacked by 99%. If your important online accounts don’t allow 2FA, it’s time to switch to providers who do.

If you’re already set up with 2FA and looking for some information security extra credit, read on for a few bonus opportunities.

A Bonus Thing about Passwords

As long as I’m writing about authentication basics with username, password, and a 2nd Factor, there is an important point to make about the passwords part. In short, it is most important that you use unique passwords for all your different accounts.

Why do passwords need to be unique and unrelated?

Because if hackers obtain your password for one account, you don’t want them to have access to all your accounts. Making them unique by adding numbers or the names of the services to them does little to help. After all, if they learn that your Facebook account password is “BadPswdFacebook,” it isn’t too much of a stretch to think your Twitter password might be “BadPswdTwitter.” Further, hacker password-guessing tools will automatically try changing “BadPswd1” to “BadPswd2.”

You need unique and difficult passwords for every account. The best advice on how difficult your passwords should be has changed.

Instead of having passwords with eight, twelve, or more characters of nearly impossible-to-remember-or-type, upper-and-lowercase characters, numbers, and symbols, the National Institute of Standards and Technology (NIST) now recommends that we use “passphrases.” Passphrases such as “The quick brown fox jumped over the lazy dog” are difficult because they are long, but they are easy to remember and type. I often look around the room when creating a passphrase, selecting several objects for inspiration, such as “big red book green sofa.”

Unfortunately, you’ll find many companies and systems still require use of those hard to remember and type passwords. Which brings us to another great thing.

Double Bonus Thing – Use a Password Manager

As I mentioned above, you need unique passwords for each different account. Of course, remembering and keeping straight many unique and unrelated passwords is pretty tricky, even if they are passphrases.

The solution for this is a password manager like LastPass. The WashU Office of Information Security articles linked below contain helpful information about password managers.

Ask The Experts: Password Management | Office of Information Security

The Magical World of Password Managers | Office of Information Security

Using these simple, do-able strategies, you can protect your data and accounts from security breaches. In the rest of the newsletter, we’ll show you how to detect phishing, avoid common Workday phishing scams, and use your existing skills in source vetting to protect yourself from cybercrime. Thank you for your interest in information security and your participation in our ongoing fight against cybercrime.

-Chris Shull, CISO